TrickBot is a traditionally Windows-based crimeware botnet that has been used by threat actors since 2016. It performs a wide range of malicious activities on target networks, including credential theft, and serves as a conduit for ransomware attacks. Through the efforts of Microsoft and US Cyber Command, over 90% of TrickBot's command and control (C2) servers have been eliminated. TrickBot's authors have since ported portions of their code to Linux in an attempt to widen the pool of victims. A TrickBot backdoor framework called Anchor was discovered in 2019 using the DNS protocol to communicate covertly with C2 servers. In July, a variant dubbed Anchor_DNS was found to have been ported to a Linux backdoor version called Anchor_Linux. Even after the initial takedown of TrickBot, Microsoft expected the threat actors to attempt to continue their operation.
TrickBot Linux Variants Active in the Wild Despite Recent Takedown
Researchers decoded the flow of communication between the bot and the C2 server. The client sends "c2_command 0" to the server along with information about the compromised system and the bot ID; the server responds with the message "signal /1/". As an acknowledgment, the bot sends the same message back to the C2, after which the server remotely issues the command to be executed on the client. In the last step, the bot sends the result of the execution back to the C2 server. A researcher from Netscout noted that this process shows the bot's "considerable capabilities, but also their ability to constantly innovate, as evidenced by their move to Linux."
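The five-step exchange above is simple enough to model as a state machine, which is how an analyst would recognise it in decoded traffic. The following Python is an added example written for this page; it is not code from the article, from Netscout, or from TrickBot/Anchor. The only protocol strings taken from the article are "c2_command 0" and "signal /1/"; the message record structure, the `botid=` key used to carry the bot ID, and the sample command and result payloads are constructed placeholders, since the article does not describe how the registration data or the DNS encoding is laid out. The recogniser reports how far a session progressed, so a stalled handshake (registration and server acknowledgment but no echo) is still surfaced as suspicious rather than missed.

```python
"""Recogniser for the Anchor_DNS bot <-> C2 handshake described in the article.

Added example, not from the article or the malware. Assumed/constructed:
the Msg record, the "botid=" token, and the sample command/result text.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Msg:
    direction: str   # "c2s": bot -> C2 server, "s2c": C2 server -> bot
    payload: str     # decoded application-layer text (already extracted from DNS)


# Stages in the order the article describes them.
IDLE, REGISTERED, ACKED, ECHOED, TASKED, REPORTED = range(6)
STAGE_NAMES = ["idle", "registered", "acked", "echoed", "tasked", "reported"]


def next_stage(stage: int, msg: Msg) -> int:
    """Advance one stage when msg is the next expected message, otherwise hold."""
    if stage == IDLE and msg.direction == "c2s" and msg.payload.startswith("c2_command 0"):
        return REGISTERED                      # bot registers with system info + bot ID
    if stage == REGISTERED and msg.direction == "s2c" and msg.payload == "signal /1/":
        return ACKED                           # server acknowledges
    if stage == ACKED and msg.direction == "c2s" and msg.payload == "signal /1/":
        return ECHOED                          # bot echoes the acknowledgment
    if stage == ECHOED and msg.direction == "s2c":
        return TASKED                          # server issues the command to run
    if stage == TASKED and msg.direction == "c2s":
        return REPORTED                        # bot returns the execution result
    return stage


def extract_bot_id(payload: str) -> Optional[str]:
    """Pull the bot ID out of a registration message.

    The "botid=" key is a constructed convention for this example; the article
    only states that the registration carries system info and the bot ID.
    """
    for token in payload.split():
        if token.startswith("botid="):
            return token[len("botid="):]
    return None


def analyze_session(messages: List[Msg]) -> dict:
    """Walk a decoded session and report how far the handshake progressed."""
    stage = IDLE
    bot_id = None
    for msg in messages:
        new_stage = next_stage(stage, msg)
        if stage == IDLE and new_stage == REGISTERED:
            bot_id = extract_bot_id(msg.payload)
        stage = new_stage
    return {
        "stage": STAGE_NAMES[stage],
        "complete": stage == REPORTED,
        # The registration string alone is a strong indicator, so anything past IDLE is flagged.
        "suspicious": stage >= REGISTERED,
        "bot_id": bot_id,
    }


# Constructed sample sessions (payload contents after "c2_command 0" are placeholders).
FULL_SESSION = [
    Msg("c2s", "c2_command 0 botid=EXAMPLE-1234 host=web01 os=linux"),
    Msg("s2c", "signal /1/"),
    Msg("c2s", "signal /1/"),
    Msg("s2c", "<placeholder command>"),
    Msg("c2s", "<placeholder result>"),
]

# Bot registered and was acknowledged but never echoed: the chain stalls at "acked".
STALLED_SESSION = [
    Msg("c2s", "c2_command 0 botid=EXAMPLE-5678 host=db02 os=linux"),
    Msg("s2c", "signal /1/"),
    Msg("s2c", "<placeholder command>"),
]

# Unrelated traffic that never matches the registration string.
BENIGN_SESSION = [
    Msg("c2s", "hello"),
    Msg("s2c", "signal /1/"),
    Msg("c2s", "signal /1/"),
]


if __name__ == "__main__":
    for name, session in [("full", FULL_SESSION), ("stalled", STALLED_SESSION), ("benign", BENIGN_SESSION)]:
        print(name, analyze_session(session))
```

Because the state machine only advances on the message the article says comes next, a server "signal /1/" seen without a prior registration (the benign session) does not trigger a detection, while the stalled session is still reported at stage "acked" with its bot ID, which is the partial evidence an incident responder would want to see.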